At the HCCA regional conference in Portland earlier this year, I heard a speaker say that only the NIST 800 series risk analysis standard is acceptable for a Meaningful Use risk analysis. However, while the NIST standard is one acceptable methodology for healthcare organization risk analyses, it’s not the only one. In the end, the Meaningful Use risk analysis is the same one the HIPAA Security Rule already requires. Neither the OCR nor the Rule requires that a single standard be followed to conduct a risk analysis.
Risk Assessment tools available on the market range from the very simple to the very complex. If you prefer the simple approach, check out this risk assessment tool developed by the Office of the National Coordinator for Health Information Technology (ONC). Both the OCR and CMS point to this tool as a valid way to conduct a risk analysis. Ultimately, you simply need to conduct a thorough risk analysis that looks at a greater scope than just the risks associated with your EHR and your technical infrastructure.
Our Risk Analysis Guidelines
Apgar and Associates has a simple guideline for conducting a risk analysis that might help, and I’ve included it here for your convenience. It all comes down to you choosing the methodology. My strong recommendation is that you make sure you’re assessing the risk to your PHI, systems, applications, facilities and so forth.
Also, it’s important to remember that if you’re attesting to Meaningful Use Stage 2, you need to assess the risks associated with data at rest (stored data / PHI). If you need help conducting your healthcare organization’s risk analysis, please give us a call. You can find more about our risk analysis and other privacy and security services on our web site.
More Risk Analysis Guidance & Tips
CMS published this tip sheet that states there’s really no one single methodology. And although it’s rather dry reading and typically more applicable to large entities, if you’re interested in following the NIST guidance, check out NIST SP 800-30, Revision 1. You can also check out OCR’s guidance on the subject.
Are you trying to figure out what risk analysis methodology makes sense for your particular healthcare organization? Please call us at 877-376-1981; we’re scheduling now.